adding gnupg-pkcs11-scd

githedgehog · Apr 26, 2023 · 93b4a7d · 93b4a7d
1 parent d2c0f36
commit 93b4a7d
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/NOTES.md b/NOTES.md
@@ -0,0 +1,19 @@
+# NOTES
+
+Random due command lines and stuff.
+This is essentially a scratchpad right now:
+
+```console
+ONIE_USE_SYSTEM_DOWNLOAD_CACHE=TRUE
+
+duebuild --use-directory $HOME/git/onie/build-config --machine qemu_armv8a --jobs 1 --build-targets "all recovery-iso"
+
+
+
+due --build --use-directory $HOME/git/onie/build-config --machine qemu_armv8a --jobs 1 --build-targets "all recovery-iso"
+
+due -c --platform linux/amd64 --name honie-build --prompt HONIE --tag honie --use-template honie --from debian:11
+
+**Example:** due --run --build --jobs 4 --machine kvm_x86_64 --build-targets all demo recovery-iso  
+**Example:** due --run --build --jobs 4 --machine accton_as7112_54x --build-targets all demo recovery-iso  
+```
diff --git a/honie/post-install-config.sh.template b/honie/post-install-config.sh.template
@@ -296,9 +296,10 @@ fi
 
 # HONIE additions
 # it's horrible debugging a build without these two
-apt-get install -y less vim
+apt-get install -y --no-install-recommends less vim
 
 # yubihsm: we need this for kernel building and adding our cert to the kernel
+# as well as signing of kernel images for secure boot support
 YUBIHSM_SHELL_URL="https://developers.yubico.com/yubihsm-shell/Releases/yubihsm-shell-2.4.0-debian11-amd64.tar.gz"
 wget $YUBIHSM_SHELL_URL || exit 1
 tar xvf yubihsm-shell-2.4.0-debian11-amd64.tar.gz
@@ -313,4 +314,21 @@ apt-get install -y -f ./yubihsm-auth_2.4.0_amd64.deb
 apt-get install -y -f ./yubihsm-shell_2.4.0_amd64.deb
 apt-get install -y -f ./yubihsm-wrap_2.4.0_amd64.deb
 
+# to be able to PGP sign the grub files for SECURE_GRUB support
+# we need to bring in gnupg-pkcs11-scd to support that with our HSM
+# unfortunately, we have to compile it, as the Debian shipped version 0.9.2 didn't work
+apt-get install -y --no-install-recommends \
+    libgpg-error0 libgpg-error-dev \
+    libassuan0 libassuan-dev \
+    libgcrypt20 libgcrypt20-dev \
+    libpkcs11-helper1 libpkcs11-helper1-dev
+
+wget https://github.com/alonbl/gnupg-pkcs11-scd/releases/download/gnupg-pkcs11-scd-0.10.0/gnupg-pkcs11-scd-0.10.0.tar.bz2
+tar xf gnupg-pkcs11-scd-0.10.0.tar.bz2
+cd gnupg-pkcs11-scd-0.10.0
+./configure --prefix=/usr
+make
+make install
+cd
+
 echo "Done $0"